HackDig : Dig high-quality web security articles for hacker

Intruder and CSRF-protected form, without macros

Introduction: These days, CSRF tokens are more and more prevalent in web applications. As a consequence, managing tokens within an intercepting proxy is a very common task for pentesters and bug hunters alike. From what I read online, most users of Burp Suite Pro tend to use Macros and Session handling rules as soon as CSRF tokens are involved, and that m
Publish At: 2020-01-13 22:25 | Tags: Csrf

Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities

Title: Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities. Advisory ID: ZSL-2019-5543. Type: Local/Remote. Impact: Cross-Site Scripting. Risk: (3/5). Release Date: 30.11.2019. Summary: Carlo Gavazzi is an international company that develops, manufactures and sells elec
Publish At: 2019-11-30 22:35 | Tags: Xss Csrf

Researcher spotted flaws in the web-based version of popular Sarahah app

A security researcher discovered a number of embarrassing vulnerabilities in the popular anonymous feedback app Sarahah. The anonymous feedback app Sarahah makes the headlines once again: according to security researcher Scott Helme, the web-based version of the app is plagued with security flaws. The Sarahah mobile app allows users to receive a
Publish At: 2017-10-24 13:20 | Tags: Breaking News Hacking CSRF mobile app Sarahah web applicatio

DefenseCode Security Advisory: Magento Commerce CSRF, Stored Cross Site Scripting #1

DefenseCode Security Advisory: Magento Commerce CSRF, Stored Cross Site Scripting. Advisory ID: DC-2017-09-001. Advisory Title: Magento CSRF, Stored Cross Site Scripting. Advisory URL: http://www.defensecode.com/advisories/DC-2017-09-001_Magento_CSRF_Stored_Cross_Site_Scripting.pdf. Software: Magento Commerce, CE. Software Language: PHP. Version: Magento CE
Publish At: 2017-10-07 06:20 | Tags: Csrf

DefenseCode Security Advisory: Magento Commerce CSRF, Stored Cross Site Scripting #2

DefenseCode Security Advisory: Magento Commerce CSRF, Stored Cross Site Scripting. Advisory ID: DC-2017-09-002. Advisory Title: Magento CSRF, Stored Cross Site Scripting. Advisory URL: http://www.defensecode.com/advisories/DC-2017-09-002_Magento_CSRF_Stored_Cross_Site_Scripting.pdf. Software: Magento Commerce, CE. Software Language: PHP. Version: Magento C
Publish At: 2017-10-07 06:20 | Tags: Csrf

CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can (WordPress plugin)

Details: Software: Content Audit. Version: 1.9.1. Homepage: https://wordpress.org/plugins/content-audit/. Advisory report: https://security.dxw.com/advisories/csrf-xss-content-audit/. CVE: Awaiting assignment. CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N). Description: CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almo
Publish At: 2017-09-27 05:40 | Tags: Xss Csrf

EE 4GEE Multiple Security Vulnerabilities Advisory (CSRF/Stored XSS/JSONP)

EE 4GEE Wireless Router - Multiple Security Vulnerabilities Advisory. Hardware Version/Model: 4GEE WiFi MBB (EE60VB-2AE8G83). Vulnerable Software Version: EE60_00_05.00_25. Patched Software Version: EE60_00_05.00_31. Product URL: https://shop.ee.co.uk/dongles/pay-monthly-mobile-broadband/4gee-wifi/details. Proof of Co
Publish At: 2017-09-08 11:20 | Tags: Xss Csrf

CVE-2017-11567 Mongoose Web Server v6.5 CSRF Command Execution

[+] Credits: John Page AKA hyp3rlinx. [+] Website: hyp3rlinx.altervista.org. [+] Source: http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txt. [+] ISR: apparitionSec. Vendor: www.cesanta.com. Product: Mongoose Web Server (Free Edition), Mongoose-free-6.5.exe. Download: https://cesanta.com/binary.html. M
Publish At: 2017-09-05 07:45 | Tags: Csrf

CSRF vulnerabilities in D-Link DVG-5402SP

Hello list! There are multiple Cross-Site Request Forgery vulnerabilities in D-Link DVG-5402SP VoIP Router. Affected products: the following model is vulnerable: D-Link DVG-5402SP, Firmware RU_1.01. Other versions must also be vulnerable. Since December 2014 the developers didn't answer me concerning vulnerabilit
Publish At: 2017-08-01 19:25 | Tags: Csrf

CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker to change any setting within the plugin (WordPre

Details: Software: YouTube. Version: 11.8.1. Homepage: https://wordpress.org/plugins/youtube-embed-plus/. Advisory report: https://security.dxw.com/advisories/csrf-in-youtube-plugin/. CVE: Awaiting assignment. CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N). Description: CSRF in YouTube (WordPress plugin) could allow unauthenticated attacker t
Publish At: 2017-07-27 02:00 | Tags: Csrf

Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access

Title: Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access. Advisory ID: ZSL-2017-5416. Type: Local/Remote. Impact: Cross-Site Scripting, System Access. Risk: (4/5). Release Date: 10.07.2017. Summary: Pelco offers the broadest selection of IP cameras design
Publish At: 2017-07-10 16:45 | Tags: Csrf

CVE-2017-7620 Mantis Bug Tracker 1.3.10 / v2.3.0 CSRF Permalink Injection

[+] Credits: John Page a.k.a hyp3rlinx. [+] Website: hyp3rlinx.altervista.org. [+] Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt. [+] ISR: ApparitionSec. Vendor: www.mantisbt.org. Product: Mantis Bug Tracker 1.3.10 / v2.3.0. MantisBT is a popular free web-based bug tracking system. It is written i
Publish At: 2017-05-23 07:41 | Tags: Csrf

WordPress 4.7.5 release addresses six security vulnerabilities

The new WordPress 4.7.5 release fixes six security vulnerabilities affecting version 4.7.4 and earlier, including XSS, CSRF, SSRF flaws. The WordPress 4.7.5 release patches six vulnerabilities affecting version 4.7.4 and earlier. The latest version addresses cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF)
Publish At: 2017-05-19 11:10 | Tags: Breaking News Hacking CMS CSRF WordPress 4.7.5 XSS

Mailcow v0.14 CSRF Password Reset / Add Admin / Delete Domains

[+] Credits: John Page a.k.a hyp3rlinx. [+] Website: hyp3rlinx.altervista.org. [+] Source: http://hyp3rlinx.altervista.org/advisories/MAILCOW-v0.14-CSRF-PASSWORD-RESET-ADD-ADMIN.txt. [+] ISR: ApparitionSec. Vendor: mailcow.email, mailcow.github.io. Product: The integrated mailcow UI allows administrative work on your mail server instance as well as s
Publish At: 2017-05-15 15:20 | Tags: Csrf

[CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15

[CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15. Product Description: ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL license version 3. The official web site can be found at http:/
Publish At: 2017-05-05 03:16 | Tags: Csrf
